Questions about information security

solution

Perfecting information security management rules and regulations (my textbook)

Establish and improve rules and regulations, and conscientiously implement them. Common information security management rules and regulations include:

(1) System operation and maintenance management system. This includes the equipment management and maintenance system, software maintenance system, user management system, key management system, various operating rules and norms, the access control management duty system, and the regular inspection or supervision system of the various administrative departments. Computer rooms in confidential areas shall require two people to enter and leave together; no one is allowed to operate a computer in the computer room alone. The door of the computer room is double-locked, so that it can only be opened with two keys at the same time. Information processing machines are dedicated to that purpose and are not allowed to be used for anything else. Terminal operators must log out when leaving the terminal to avoid unauthorized use by other personnel.

(2) Computer processing control management system. This includes the compilation and control of the data processing flow, the management of program software and data, the management of copying and porting, the management of storage media, the standardization of file records and the management of the communication network system.

(3) Document management. All kinds of vouchers, documents, account books, statements and written materials must be properly kept and strictly controlled; bookkeeping must be cross-checked; and the information each person holds should be consistent with their responsibilities. For example, terminal operators can only use terminal operating procedures and manuals, and only system administrators can use system manuals.

(4) Management system for management personnel. It mainly includes:

● Specify the computer or server for specific use and operation, and define the job responsibilities, authority and scope;

● The posts of programmer, system administrator and operator shall be separated and shall not be combined;

● It is forbidden to do operations unrelated to work on the machine where the system is running;

● Do not run programs without authorization, and do not consult unrelated parameters or confidential information;

● Report any abnormal operation immediately;

● Establish and improve the management system for engineering and technical personnel;

● When relevant personnel are transferred, corresponding safety management measures should be taken: take back keys, hand over the work, change passwords and cancel accounts immediately, and make their confidentiality obligations clear to the transferred personnel.

(5) Computer room safety management rules and regulations. Establish and improve the rules and regulations of computer room management, frequently carry out safety education and training for relevant personnel, and conduct regular or random safety inspections. Computer room management rules and regulations mainly cover computer room guard management, computer room safety work, computer room hygiene work, computer room operation management, etc. Computers can be managed like books.

(6) Other important management systems. These mainly include: system software and application software management system, data management system, password management system, network communication security management system, virus prevention management system, security level protection system, network electronic announcement system user registration and information management system, and foreign exchange maintenance management system.

(7) Risk analysis and safety training

● Conduct system security risk analysis on a regular basis, and formulate emergency plans and recovery plans for sudden disasters. These cover, for example, the contact information of key technicians, the acquisition of backup data, and the organization of system reconfiguration.

● Establish and improve the system safety assessment training system. In addition to the assessment training for key personnel and new employees, education and training should also be carried out regularly on computer security laws and regulations, professional ethics, and updates in computer network security technology.

For staff who handle important information such as national security, military secrets, financial or personnel files, more attention should be paid to safety education and training, and reliable, high-quality personnel should be selected.